PHP :: Bug #48951 :: calling get_defined_constans with any paramenter results in sigsev

Bug #48951

calling get_defined_constans with any paramenter results in sigsev

Submitted:

2009-07-16 22:59 UTC

Modified:

2009-07-30 01:00 UTC

Votes:	8
Avg. Score:	4.1 ± 1.2
Reproduced:	8 of 8 (100.0%)
Same Version:	7 (87.5%)
Same OS:	4 (50.0%)

From:

rajivk at sparklit dot com

Assigned:

Status:

No Feedback

Package:

Apache related

PHP Version:

5.2.10, 5.3.0

OS:

Debian Linux

Private report:

CVE-ID:

None

View Developer Edit

[2009-07-16 22:59 UTC] rajivk at sparklit dot com

Description:
------------
Calling get_defined_constants with a parameter causes a segfault.  The occurs in 5.2.10 and 5.3.0



Reproduce code:
---------------
=== case 1 causes crash ======

<?
var_dump(get_defined_constants(false));
?>
=============================================

=== case 2 also causes crash ======

<?
var_dump(get_defined_constants(false));
?>
=============================================

=== case 3 NO CRASH  ======

<?
var_dump(get_defined_constants());
?>
=============================================




Expected result:
----------------
no crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb73b1910 (LWP 15496)]
0xb77a2b01 in kill () from /lib/libc.so.6
(gdb) bt
#0  0xb77a2b01 in kill () from /lib/libc.so.6
#1  0x0810ace9 in zend_mm_panic (message=0x84d1d40 "zend_mm_heap corrupted") at /usr/src/2009july15/php-5.2.10/Zend/zend_alloc.c:94
#2  0x0810d45f in _zend_mm_alloc_int (heap=0x89f7b70, size=44, __zend_filename=0x84d57d8 "/usr/src/2009july15/php-5.2.10/Zend/zend_hash.c", __zend_lineno=247,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/2009july15/php-5.2.10/Zend/zend_alloc.c:1895
#3  0x0810e6d6 in _emalloc (size=44, __zend_filename=0x84d57d8 "/usr/src/2009july15/php-5.2.10/Zend/zend_hash.c", __zend_lineno=247, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /usr/src/2009july15/php-5.2.10/Zend/zend_alloc.c:2300
#4  0x08135f7b in _zend_hash_add_or_update (ht=0x87cb62c, arKey=0x89d9fc0 "E_STRICT", nKeyLength=9, pData=0xbfcc367c, nDataSize=4, pDest=0x0, flag=1,
    __zend_filename=0x84d4f30 "/usr/src/2009july15/php-5.2.10/Zend/zend_hash.h", __zend_lineno=341) at /usr/src/2009july15/php-5.2.10/Zend/zend_hash.c:247
#5  0x0812e86d in zend_symtable_update (ht=0x87cb62c, arKey=0x89d9fc0 "E_STRICT", nKeyLength=9, pData=0xbfcc367c, nDataSize=4, pDest=0x0)
    at /usr/src/2009july15/php-5.2.10/Zend/zend_hash.h:341
#6  0x0812ecb4 in add_assoc_zval_ex (arg=0x87e5838, key=0x89d9fc0 "E_STRICT", key_len=9, value=0x87e4ccc) at /usr/src/2009july15/php-5.2.10/Zend/zend_API.c:1056
#7  0x0813f211 in zif_get_defined_constants (ht=1, return_value=0x87e58e0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /usr/src/2009july15/php-5.2.10/Zend/zend_builtin_functions.c:1674
#8  0x0814e496 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfcc3818) at /usr/src/2009july15/php-5.2.10/Zend/zend_vm_execute.h:200
#9  0x08153ead in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfcc3818) at /usr/src/2009july15/php-5.2.10/Zend/zend_vm_execute.h:1739
#10 0x0814dffa in execute (op_array=0x87c19b8) at /usr/src/2009july15/php-5.2.10/Zend/zend_vm_execute.h:92
#11 0x0812b810 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/2009july15/php-5.2.10/Zend/zend.c:1134
#12 0x080e4ad1 in php_execute_script (primary_file=0xbfcc5aec) at /usr/src/2009july15/php-5.2.10/main/main.c:2025
#13 0x081a47c1 in apache_php_module_main (r=0x87822bc, display_source_mode=0) at /usr/src/2009july15/php-5.2.10/sapi/apache/sapi_apache.c:53
#14 0x080d8792 in send_php ()
#15 0x080d87dd in send_parsed_php ()
#16 0x08468875 in ap_invoke_handler ()
#17 0x0847fe6d in process_request_internal ()
#18 0x0847feca in ap_process_request ()
#19 0x084760c0 in child_main ()
#20 0x084763f4 in make_child ()
#21 0x084767e2 in perform_idle_server_maintenance ()
#22 0x08476eb7 in standalone_main ()
#23 0x08477562 in main ()
(gdb) frame 10
#10 0x0814dffa in execute (op_array=0x87c19b8) at /usr/src/2009july15/php-5.2.10/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x84d5d1b "get_defined_constants"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x87c6284 "/home/rajivk/dev/webroot/forum/www/forum.sparklit.com/foobar.spark"
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-07-17 13:20 UTC] jani@php.net

I can not reproduce this with current PHP_5_2 / PHP_5_3 or HEAD branches. Exactly what was your configure line? What compiler and version? Can you reproduce it using CLI:

# php -n -r 'var_dump(get_defined_constants(false));'

[2009-07-20 20:42 UTC] rajivk at sparklit dot com

I can't reproduce it with the CLI at all. Here is the configure line:

'./configure' '--with-gd' '--with-mysql' '--with-apache=../apache_1.3.41' '--with-zlib' '--with-cybercash=/cybercash/mck' '--enable-memory-limit' '--enable-inline-optimization' '--with-gettext' '--with-xml' '--with-pspell' '--enable-memcache' '--with-curl' '--enable-mbstring' '--with-jpeg-dir=/usr/lib' '--enable-debug'

AND 


gcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --with-tune=generic --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Debian 4.2.4-6))

[2009-07-22 20:49 UTC] jani@php.net

Try without '--enable-inline-optimization' and do not set any 
optimization flags or such when configuring / compiling.

[2009-07-30 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 10 21:01:30 2025 UTC